155694 2016-03-19 20:32:33 -0700 Segfault when setting attribute value via DOM in WebKitGTK+2.4.10 2016-04-10 00:54:02 -0700 1 1 1 Unclassified WebKit WebKitGTK WebKit Local Build Unspecified Unspecified RESOLVED FIXED https://bugzilla.gnome.org/show_bug.cgi?id=764168 https://bugzilla.gnome.org/show_bug.cgi?id=763933 https://bugzilla.redhat.com/show_bug.cgi?id=1321722 P2 Normal --- 1 mike webkit-unassigned adam bugs-noreply cgarcia jdiggs mcatanzaro tpopela oldest_to_newest 1176560 0 mike 2016-03-19 20:32:33 -0700 WebKitGTK+ 2.4.10 seems to have introduced a bug that is causing a crash when loading HTML images in Geary (See https://bugzilla.gnome.org/show_bug.cgi?id=763933). This didn't occur using earlier versions of WebKitGTK+. Geary currently implements user-controlled image loading by what amounts to using a random scheme string for the IMG SRC attribute - when the user has assented to loading images for a specific message, it updates every IMG SRC attribute value to be prefixed with the random scheme. The crash occurs during this process, at random, when displaying a HTML message. A workaround exists in removing the src element first using webkit_dom_element_remove_attribute(), causing the subsequent call to webkit_dom_element_set_attribute() not crash. Workarounds that do not work include cloning the IMG element and setting the SRC element on that instead, nor does casting the element and using webkit_dom_html_image_element_set_src(). I didn't try creating a new Attr instance, setting the value on that, then setting that on the IMG element. I know you guys aren't interested in supporting 2.4.x, but I thought I'd log it since it's a regression with 2.4.10 (thanks for doing a new release, BTW!). Thread 1 "geary" received signal SIGSEGV, Segmentation fault. WebCore::AXObjectCache::handleAttributeChanged (this=0x7fff9191b500, attrName=..., element=0x5df8210) at ../Source/WebCore/accessibility/AXObjectCache.cpp:880 880 if (!attrName.localName().string().startsWith("aria-")) (gdb) bt #0 0x00007ffff4d8aae9 in WebCore::AXObjectCache::handleAttributeChanged(WebCore::QualifiedName const&, WebCore::Element*) (this=0x7fff9191b500, attrName=..., element=0x5df8210) at ../Source/WebCore/accessibility/AXObjectCache.cpp:880 #1 0x00007ffff4f8105a in WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) (this=0x5df8210, name=..., oldValue=..., newValue=...) at ../Source/WebCore/dom/Element.cpp:1137 #2 0x00007ffff4f80530 in WebCore::Element::didModifyAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&) (this=this@entry=0x5df8210, name=..., oldValue=..., newValue=...) at ../Source/WebCore/dom/Element.cpp:2851 #3 0x00007ffff4f8777d in WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (this=this@entry=0x5df8210, index=<optimised out>, name=..., newValue=..., inSynchronizationOfLazyAttribute=inSynchronizationOfLazyAttribute@entry=WebCore::Element::NotInSynchronizationOfLazyAttribute) at ../Source/WebCore/dom/Element.cpp:1075 #4 0x00007ffff4f8494f in WebCore::Element::setAttribute(WTF::AtomicString const&, WTF::AtomicString const&, int&) (this=this@entry=0x5df8210, localName=..., value=..., ec=@0x7fffffffddec: 0) at ../Source/WebCore/dom/Element.cpp:1027 #5 0x00007ffff5bd7a5c in webkit_dom_element_set_attribute(WebKitDOMElement*, gchar const*, gchar const*, GError**) (self=self@entry=0x5dcd0b0 [WebKitDOMHTMLImageElement], name=name@entry=0x6ac5bc "src", value=value@entry=0x5851a00 "glxaowieyx:http://www.outsideonline.com/sites/default/files/styles/img_600x339/public/cogburn-cb4.jpg?itok=04MxjrHH", error=error@entry=0x7fffffffded0) at DerivedSources/webkitdom/WebKitDOMElement.cpp:533 #6 0x00000000004d7e86 in conversation_viewer_show_images_email (self=self@entry=0xd46230 [ConversationViewer], email_element=0x5b59440 [WebKitDOMHTMLDivElement], remember=remember@entry=0) at /home/mjg/local/src/geary/src/client/conversation-viewer/conversation-viewer.vala:1497 ---Type <return> to continue, or q <return> to quit--- #7 0x00000000004dfbb0 in conversation_viewer_add_message (self=0xd46230 [ConversationViewer], email=0x7fff1400b770 [GearyEmail], is_in_folder=1) at /home/mjg/local/src/geary/src/client/conversation-viewer/conversation-viewer.vala:698 1176562 1 mike 2016-03-19 20:35:08 -0700 NB, while the crash occurs in WebCore::AXObjectCache::handleAttributeChanged, I don't think it's related to accessibility, by that stage attrName has gone bad: attrName.m_impl is pointing to an invalid memory location. 1178210 2 mike 2016-03-25 18:41:32 -0700 This seems to be not just limited to setting IMG SRC attributes. Geary is also occasionally crashing when pasting content into an editable web view, with a similar top of the stack, e.g.: https://bugzilla.gnome.org/show_bug.cgi?id=764168 They seem to be related in that in both cases, an attribute value is being set via the DOM API in a document that is already being displayed by a web view. 1180012 3 mcatanzaro 2016-04-01 19:29:41 -0700 We received 1333 reports of this crash from Evolution and Geary users in Fedora in the past two weeks. It is definitely a regression from the 2.4.10 update. There are possibly more reports, but since it's a WebKit1 crash the crashes get assigned to individual applications rather than to WebKit, making it impossible to search for them. I only checked Evolution and Geary. 1180013 4 mcatanzaro 2016-04-01 19:31:46 -0700 Also, I will just add we have several slight variations on this crash: https://retrace.fedoraproject.org/faf/problems/1886091/ https://retrace.fedoraproject.org/faf/problems/1875612/ https://retrace.fedoraproject.org/faf/problems/1888402/ https://retrace.fedoraproject.org/faf/problems/1864883/ 1180014 5 mcatanzaro 2016-04-01 19:34:03 -0700 (In reply to comment #2) > This seems to be not just limited to setting IMG SRC attributes. Geary is > also occasionally crashing when pasting content into an editable web view, > with a similar top of the stack, e.g.: > https://bugzilla.gnome.org/show_bug.cgi?id=764168 > > They seem to be related in that in both cases, an attribute value is being > set via the DOM API in a document that is already being displayed by a web > view. This is how Evolution is crashing as well (at least, it's the report for which we received a description and full backtrace, see the See Also field). 1180015 6 mcatanzaro 2016-04-01 19:44:17 -0700 (In reply to comment #5) > This is how Evolution is crashing as well (at least, it's the report for > which we received a description and full backtrace, see the See Also field). Sigh, I realize this is a private bug... I think thread 1 is probably the only important part; note the string "aria-" in the crash frame. Core was generated by `/usr/bin/evolution'. Program terminated with signal SIGSEGV, Segmentation fault. #0 WTF::StringImpl::startsWith (this=0xbad801d800000002, matchString=matchString@entry=0x7f85ba36fea7 "aria-", matchLength=matchLength@entry=5, caseSensitive=caseSensitive@entry=true) at Source/WTF/wtf/text/StringImpl.cpp:1363 1363 if (matchLength > length()) [Current thread is 1 (Thread 0x7f85c0247ac0 (LWP 17496))] Thread 1 (Thread 0x7f85c0247ac0 (LWP 17496)): #0 WTF::StringImpl::startsWith (this=0xbad801d800000002, matchString=matchString@entry=0x7f85ba36fea7 "aria-", matchLength=matchLength@entry=5, caseSensitive=caseSensitive@entry=true) at Source/WTF/wtf/text/StringImpl.cpp:1363 No locals. #1 0x00007f85b8f3e00f in WTF::StringImpl::startsWith<6u> (caseSensitive=true, prefix=..., this=<optimized out>) at Source/WTF/wtf/text/StringImpl.h:730 No locals. #2 WTF::String::startsWith<6u> (caseSensitive=true, prefix=..., this=<optimized out>) at Source/WTF/wtf/text/WTFString.h:281 No locals. #3 WebCore::AXObjectCache::handleAttributeChanged (this=0x7f851b997f00, attrName=..., element=0x558fcfb67cb0) at Source/WebCore/accessibility/AXObjectCache.cpp:880 No locals. #4 0x00007f85b91641ea in WebCore::Element::attributeChanged (this=0x558fcfb67cb0, name=..., oldValue=..., newValue=...) at Source/WebCore/dom/Element.cpp:1137 cache = <optimized out> styleResolver = <optimized out> testShouldInvalidateStyle = true shouldInvalidateStyle = <optimized out> #5 0x00007f85b9163520 in WebCore::Element::didModifyAttribute (this=this@entry=0x558fcfb67cb0, name=..., oldValue=..., newValue=...) at Source/WebCore/dom/Element.cpp:2851 No locals. #6 0x00007f85b916b449 in WebCore::Element::setAttributeInternal (this=0x558fcfb67cb0, index=<optimized out>, name=..., newValue=..., inSynchronizationOfLazyAttribute=WebCore::Element::NotInSynchronizationOfLazyAttribute) at Source/WebCore/dom/Element.cpp:1075 oldValue = {m_string = {m_impl = {m_ptr = 0x7f858c676000}}} valueChanged = <optimized out> attributeName = <optimized out> #7 0x00007f85b91de4b9 in WebCore::CompositeEditCommand::applyCommandToComposite (this=this@entry=0x7f853a37c900, prpCommand=...) at Source/WebCore/editing/CompositeEditCommand.cpp:278 command = {m_ptr = 0x7f853a56ad20} #8 0x00007f85b91e4f1a in WebCore::CompositeEditCommand::setNodeAttribute (this=this@entry=0x7f853a37c900, element=..., attribute=..., value=...) at Source/WebCore/editing/CompositeEditCommand.cpp:664 No locals. #9 0x00007f85b926c8f9 in WebCore::ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline (this=this@entry=0x7f853a37c900, insertedNodes=...) at Source/WebCore/editing/ReplaceSelectionCommand.cpp:525 element = 0x558fcfb67cb0 inlineStyle = 0x7f853a3cb410 newInlineStyle = {m_ptr = 0x7f851b975b70} node = {m_ptr = 0x558fcfb67cb0} next = {m_ptr = 0x558fd14d9630} #10 0x00007f85b926f714 in WebCore::ReplaceSelectionCommand::doApply (this=0x7f853a37c900) at Source/WebCore/editing/ReplaceSelectionCommand.cpp:1151 selection = {m_base = {m_anchorNode = {m_ptr = 0x558fd16cd1b0}, m_offset = 0, m_anchorType = 1, m_isLegacyEditingPosition = true}, m_extent = {m_anchorNode = {m_ptr = 0x558fd16cd1b0}, m_offset = 0, m_anchorType = 1, m_isLegacyEditingPosition = true}, m_start = {m_anchorNode = {m_ptr = 0x558fd16cd1b0}, m_offset = 0, m_anchorType = 1, m_isLegacyEditingPosition = true}, m_end = {m_anchorNode = {m_ptr = 0x558fd16cd1b0}, m_offset = 0, m_anchorType = 1, m_isLegacyEditingPosition = true}, m_affinity = WebCore::DOWNSTREAM, m_selectionType = WebCore::VisibleSelection::CaretSelection, m_baseIsFirst = true, m_isDirectional = true} fragment = {m_document = {m_ptr = 0x7f853a276d00}, m_fragment = {m_ptr = 0x558fd0f6ad00}, m_hasInterchangeNewlineAtStart = false, m_hasInterchangeNewlineAtEnd = false} visibleStart = {m_deepPosition = {m_anchorNode = {m_ptr = 0x558fd16cd1b0}, m_offset = 0, m_anchorType = 1, m_isLegacyEditingPosition = true}, m_affinity = WebCore::DOWNSTREAM} visibleEnd = {m_deepPosition = {m_anchorNode = {m_ptr = 0x558fd16cd1b0}, m_offset = 0, m_anchorType = 1, m_isLegacyEditingPosition = true}, m_affinity = WebCore::DOWNSTREAM} selectionEndWasEndOfParagraph = true selectionStartWasStartOfParagraph = true startBlock = <optimized out> insertionPos = {m_anchorNode = {m_ptr = 0x558fd16cd1b0}, m_offset = 0, m_anchorType = 1, m_isLegacyEditingPosition = true} startIsInsideMailBlockquote = false selectionIsPlainText = <optimized out> currentRoot = <optimized out> endBR = <optimized out> originalVisPosBeforeEndBR = {m_deepPosition = {m_anchorNode = {m_ptr = 0x558fd02d50a0}, m_offset = 0, m_anchorType = 1, m_isLegacyEditingPosition = true}, m_affinity = WebCore::DOWNSTREAM} insertionBlock = {m_ptr = 0x558fcff56940} insertedNodes = {m_firstNodeInserted = {m_ptr = 0x558fcfb67cb0}, m_lastNodeInserted = {m_ptr = 0x558fd1a7b1f0}} refNode = {m_ptr = 0x558fd1a7b1f0} node = <optimized out> blockStart = <optimized out> plainTextFragment = false startOfInsertedContent = {m_deepPosition = {m_anchorNode = {m_ptr = 0x558fd14d9630}, m_offset = 0, m_anchorType = 0, m_isLegacyEditingPosition = true}, m_affinity = WebCore::DOWNSTREAM} lastPositionToSelect = {m_anchorNode = {m_ptr = 0x558fd1a7b1f0}, m_offset = -1204594578, m_anchorType = 5, m_isLegacyEditingPosition = false} #11 0x00007f85b91de107 in WebCore::CompositeEditCommand::apply (this=0x7f853a37c900) at Source/WebCore/editing/CompositeEditCommand.cpp:227 No locals. #12 0x00007f85b91de21d in WebCore::applyCommand (command=...) at Source/WebCore/editing/CompositeEditCommand.cpp:182 No locals. #13 0x00007f85b9207946 in WebCore::executeInsertFragment (frame=..., fragment=...) at Source/WebCore/editing/EditorCommand.cpp:195 No locals. #14 0x00007f85b9207df1 in WebCore::executeInsertHTML (frame=..., value=...) at Source/WebCore/editing/EditorCommand.cpp:508 No locals. #15 0x00007f85b913c9df in WebCore::Document::execCommand (this=this@entry=0x7f853a276d00, commandName=..., userInterface=<optimized out>, value=...) at Source/WebCore/dom/Document.cpp:4227 No locals. #16 0x00007f85b9e5d5dd in webkit_dom_document_exec_command (self=<optimized out>, command=<optimized out>, userInterface=userInterface@entry=0, value=0x558fd1496580 "<meta http-equiv=\"content-type\" content=\"text/html; charset=utf-8\"><span style=\"color: rgb(0, 0, 0); font-family: myriadpro-regular, Arial, sans-serif; font-size: 15px; font-style: normal; font-varian"...) at DerivedSources/webkitdom/WebKitDOMDocument.cpp:1157 state = {m_previousState = 0x0} __PRETTY_FUNCTION__ = "gboolean webkit_dom_document_exec_command(WebKitDOMDocument*, const gchar*, gboolean, const gchar*)" item = 0x7f853a276d00 convertedCommand = {m_impl = {m_ptr = 0x7f853a45fa50}} convertedValue = {m_impl = {m_ptr = 0x7f853a278700}} result = <optimized out> #17 0x00007f85bfb7471b in e_html_editor_view_exec_command (view=view@entry=0x558fd0302790, command=command@entry=E_HTML_EDITOR_VIEW_COMMAND_INSERT_HTML, value=value@entry=0x558fd1496580 "<meta http-equiv=\"content-type\" content=\"text/html; charset=utf-8\"><span style=\"color: rgb(0, 0, 0); font-family: myriadpro-regular, Arial, sans-serif; font-size: 15px; font-style: normal; font-varian"...) at e-html-editor-view.c:8915 document = <optimized out> cmd_str = <optimized out> has_value = <optimized out> __func__ = "e_html_editor_view_exec_command" #18 0x00007f85bfb638ab in e_html_editor_selection_insert_html (selection=0x558fd15c6c90, html_text=0x558fd1496580 "<meta http-equiv=\"content-type\" content=\"text/html; charset=utf-8\"><span style=\"color: rgb(0, 0, 0); font-family: myriadpro-regular, Arial, sans-serif; font-size: 15px; font-style: normal; font-varian"...) at e-html-editor-selection.c:5673 view = 0x558fd0302790 command = E_HTML_EDITOR_VIEW_COMMAND_INSERT_HTML ev = 0x558fd13c0e00 html_mode = -1 __func__ = "e_html_editor_selection_insert_html" #19 0x00007f859c2caca4 in e_composer_paste_html (r=<optimized out>, clipboard=<optimized out>) at e-composer-private.c:533 editor = <optimized out> view = 0x558fd0302790 editor_selection = 0x558fd15c6c90 html = 0x558fd1496580 "<meta http-equiv=\"content-type\" content=\"text/html; charset=utf-8\"><span style=\"color: rgb(0, 0, 0); font-family: myriadpro-regular, Arial, sans-serif; font-size: 15px; font-style: normal; font-varian"... __func__ = "e_composer_paste_html" #20 0x00007f85b7548d61 in request_targets_received_func (clipboard=0x558fcf7f5ee0, selection_data=selection_data@entry=0x7ffeb58e68a0, data=data@entry=0x558fd14b6fc0) at gtkclipboard.c:1325 info = 0x558fd14b6fc0 targets = 0x558fd0856fd0 n_targets = 8 #21 0x00007f85b7548ff9 in selection_received (widget=0x558fcf5d1220, selection_data=0x7ffeb58e68a0, time=<optimized out>) at gtkclipboard.c:960 request_info = 0x558fd1024e20 #22 0x00007f85b5b6c7a5 in g_closure_invoke (closure=0x558fcf1e9be0, return_value=return_value@entry=0x0, n_param_values=3, param_values=param_values@entry=0x7ffeb58e6530, invocation_hint=invocation_hint@entry=0x7ffeb58e64b0) at gclosure.c:801 marshal = <optimized out> marshal_data = <optimized out> in_marshal = 0 real_closure = 0x558fcf1e9bc0 __func__ = "g_closure_invoke" #23 0x00007f85b5b7e851 in signal_emit_unlocked_R (node=node@entry=0x558fccc28bc0, detail=detail@entry=0, instance=instance@entry=0x558fcf5d1220, emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7ffeb58e6530) at gsignal.c:3627 tmp = <optimized out> handler = 0x558fcf1e8f00 accumulator = 0x0 emission = {next = 0x7ffeb58e6ad0, instance = 0x558fcf5d1220, ihint = {signal_id = 70, detail = 0, run_type = G_SIGNAL_RUN_FIRST}, state = EMISSION_RUN, chain_type = 4} class_closure = 0x558fccc28b30 handler_list = 0x558fcf1e8f00 return_accu = 0x0 accu = {g_type = 0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}} signal_id = 70 max_sequential_handler_number = 110677 return_value_altered = 0 #24 0x00007f85b5b87530 in g_signal_emit_valist (instance=instance@entry=0x558fcf5d1220, signal_id=signal_id@entry=70, detail=detail@entry=0, var_args=var_args@entry=0x7ffeb58e6768) at gsignal.c:3383 instance_and_params = 0x7ffeb58e6530 signal_return_type = <optimized out> param_values = 0x7ffeb58e6548 node = <optimized out> i = <optimized out> n_params = <optimized out> __func__ = "g_signal_emit_valist" #25 0x00007f85b5b87dc5 in g_signal_emit_by_name (instance=0x558fcf5d1220, detailed_signal=detailed_signal@entry=0x7f85b75c3e83 "selection-received") at gsignal.c:3479 var_args = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7ffeb58e68a0, reg_save_area = 0x7ffeb58e67b0}} detail = 0 signal_id = 70 itype = 94076144637376 __func__ = "g_signal_emit_by_name" #26 0x00007f85b746dd13 in gtk_selection_retrieval_report (info=info@entry=0x558fd1a7aef0, type=<optimized out>, format=<optimized out>, buffer=<optimized out>, length=length@entry=64, time=30218102) at gtkselection.c:3033 data = {selection = 0x45, target = 0x95, type = 0x4, format = 32, data = 0x558fd14d96b0 "\225", length = 64, display = 0x558fccbf6020} #27 0x00007f85b7471cbd in _gtk_selection_notify (widget=<optimized out>, event=0x558fd12b72f0) at gtkselection.c:2837 tmp_list = 0x7f8534ecbd20 info = 0x558fd1a7aef0 window = <optimized out> buffer = 0x558fd14d96b0 "\225" length = 64 type = 0x4 format = 32 #28 0x00007f85b73e5fda in _gtk_marshal_BOOLEAN__BOXEDv (closure=0x558fccc28790, return_value=0x7ffeb58e6b00, instance=<optimized out>, args=<optimized out>, marshal_data=<optimized out>, n_params=<optimized out>, param_types=0x558fccc287c0) at gtkmarshalers.c:131 cc = <optimized out> data1 = <optimized out> data2 = <optimized out> callback = <optimized out> arg0 = 0x558fd12b72f0 args_copy = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7ffeb58e6cb0, reg_save_area = 0x7ffeb58e6bf0}} v_return = <optimized out> __func__ = "_gtk_marshal_BOOLEAN__BOXEDv" #29 0x00007f85b5b6c9d4 in _g_closure_invoke_va (closure=closure@entry=0x558fccc28790, return_value=return_value@entry=0x7ffeb58e6b00, instance=instance@entry=0x558fcf5d1220, args=args@entry=0x7ffeb58e6bd0, n_params=<optimized out>, param_types=0x558fccc287c0) at gclosure.c:864 marshal = <optimized out> marshal_data = <optimized out> in_marshal = 0 real_closure = 0x558fccc28770 __func__ = "_g_closure_invoke_va" #30 0x00007f85b5b86dd3 in g_signal_emit_valist (instance=0x558fcf5d1220, signal_id=<optimized out>, detail=0, var_args=var_args@entry=0x7ffeb58e6bd0) at gsignal.c:3292 return_accu = 0x7ffeb58e6b00 accu = {g_type = 20, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}} accumulator = 0x558fccc287e0 emission = {next = 0x0, instance = 0x558fcf5d1220, ihint = {signal_id = 69, detail = 0, run_type = G_SIGNAL_RUN_LAST}, state = EMISSION_RUN, chain_type = 94076144637376} signal_id = 69 instance_type = 94076144637376 emission_return = {g_type = 20, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}} rtype = 20 static_scope = 0 fastpath_handler = <optimized out> closure = <optimized out> run_type = <optimized out> l = <optimized out> fastpath = <optimized out> instance_and_params = <optimized out> signal_return_type = <optimized out> param_values = <optimized out> node = <optimized out> i = <optimized out> n_params = <optimized out> __func__ = "g_signal_emit_valist" #31 0x00007f85b5b878ff in g_signal_emit (instance=instance@entry=0x558fcf5d1220, signal_id=<optimized out>, detail=detail@entry=0) at gsignal.c:3439 var_args = {{gp_offset = 24, fp_offset = 48, overflow_arg_area = 0x7ffeb58e6cb0, reg_save_area = 0x7ffeb58e6bf0}} #32 0x00007f85b75234bc in gtk_widget_event_internal (widget=0x558fcf5d1220, event=0x558fd12b72f0) at gtkwidget.c:7692 signal_num = <optimized out> return_val = 0 handled = 0 event = 0x558fd12b72f0 widget = 0x558fcf5d1220 #33 0x00007f85b73e50b6 in gtk_main_do_event (event=0x558fd12b72f0) at gtkmain.c:1795 event_widget = 0x558fcf5d1220 grab_widget = 0x558fcf5d1220 topmost_widget = <optimized out> window_group = 0x558fd0131840 rewritten_event = <optimized out> device = 0x0 tmp_list = <optimized out> __func__ = "gtk_main_do_event" #34 0x00007f85b6f5de92 in gdk_event_source_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at gdkeventsource.c:369 display = <optimized out> event = <optimized out> #35 0x00007f85b586de3a in g_main_dispatch (context=0x558fccbe7840) at gmain.c:3154 dispatch = 0x7f85b6f5de70 <gdk_event_source_dispatch> prev_source = 0x0 was_in_call = 0 user_data = 0x0 callback = 0x0 cb_funcs = 0x0 cb_data = 0x0 need_destroy = <optimized out> source = 0x558fccbe7750 current = 0x558fccc54d40 i = 0 #36 g_main_context_dispatch (context=context@entry=0x558fccbe7840) at gmain.c:3769 No locals. #37 0x00007f85b586e1d0 in g_main_context_iterate (context=0x558fccbe7840, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3840 max_priority = 0 timeout = 0 some_ready = 1 nfds = <optimized out> allocated_nfds = 4 fds = 0x558fcf754da0 #38 0x00007f85b586e4f2 in g_main_loop_run (loop=0x558fcf32d5d0) at gmain.c:4034 __func__ = "g_main_loop_run" #39 0x00007f85b73e4325 in gtk_main () at gtkmain.c:1241 loop = 0x558fcf32d5d0 #40 0x0000558fcc45d089 in main (argc=1, argv=0x7ffeb58e7008) at main.c:660 shell = 0x558fcccc11e0 settings = <optimized out> error = 0x0 We also have a valgrind log (available on request); I think the main interesting part is: ==21341== Conditional jump or move depends on uninitialised value(s) ==21341== at 0xCEBA8FF: WTF::fastFree(void*) (in /usr/lib64/libjavascriptcoregtk-3.0.so.0.16.18) ==21341== by 0xB15E1A4: ??? (in /usr/lib64/libwebkitgtk-3.0.so.0.22.16) ==21341== by 0xB15DA6B: ??? (in /usr/lib64/libwebkitgtk-3.0.so.0.22.16) ==21341== by 0xB15F451: ??? (in /usr/lib64/libwebkitgtk-3.0.so.0.22.16) ==21341== by 0xA9F7B32: ??? (in /usr/lib64/libwebkitgtk-3.0.so.0.22.16) ==21341== by 0xA9F8173: ??? (in /usr/lib64/libwebkitgtk-3.0.so.0.22.16) ==21341== by 0xA9FA28D: ??? (in /usr/lib64/libwebkitgtk-3.0.so.0.22.16) ==21341== by 0xA9FA9D1: ??? (in /usr/lib64/libwebkitgtk-3.0.so.0.22.16) ==21341== by 0xB71B5DC: webkit_dom_document_exec_command (in /usr/lib64/libwebkitgtk-3.0.so.0.22.16) ==21341== by 0x5173D20: ??? (in /usr/lib64/evolution/libevolution-util.so) ==21341== by 0xF1D4BEA: g_type_create_instance (in /usr/lib64/libgobject-2.0.so.0.4600.2) ==21341== by 0xF1B6B7A: ??? (in /usr/lib64/libgobject-2.0.so.0.4600.2) 1180016 7 mcatanzaro 2016-04-01 19:46:12 -0700 Comment from the downstream bug: """Ok, I've done a bit more experimentation and I think I can give you some additional info, hopefully even useful! If I have my email format set to Plain Text, I cannot get the crash that I reported regardless of how or what I copy/paste. If I have the email format set to HTML, I cannot get the crash if I copy plain text into the email. However, If I copy HTML text into the email I can reproduce the crash every time. The specific steps to reproduce are as follows: - Click New > Compose Email Message - Enter any email address in 'To:' - Enter anything into 'Subject" - Go to any webpage, and highlight a few lines - Click 'ctrl c' - Place cursor into the body of the open Compose Message window - Click 'ctrl v' - Crash will occur 100% of time for me. The trick seems to be to have the email formatting to be HTML and then copy-paste HTML content. Hopefully this is helpful.""" Seems it's 100% reproducible for some users, but not for others. 1180276 8 tpopela 2016-04-03 22:39:12 -0700 (In reply to comment #7) > Seems it's 100% reproducible for some users, but not for others. It would be easy to bisect to the bad commit, but when we can't reproduce this on our machines:/. 1180339 9 tpopela 2016-04-04 03:41:12 -0700 With Milan we figured out that this backported change http://trac.webkit.org/changeset/197274 had a follow-up (security bug) http://trac.webkit.org/changeset/165044 that was not backported and is causing the crash. 1180354 10 mcatanzaro 2016-04-04 06:57:38 -0700 Just an FYI, we're up to 1,871 reports of this crash, i.e. we got over 500 new reports over this past weekend. 1180373 11 cgarcia 2016-04-04 08:33:49 -0700 (In reply to comment #10) > Just an FYI, we're up to 1,871 reports of this crash, i.e. we got over 500 > new reports over this past weekend. I'll fix t and make a new release as soon as I find the time 1182533 12 cgarcia 2016-04-10 00:54:02 -0700 Patch backported to 2.4 branch in r199282. Thanks!